[rmunn]

Quote from the article (emphasis in original): "Our target for a suitable exploit delivery vehicle is open-source applications where the collection and distribution of high-frequency mouse data is not inherently suspicious. Therefore, creative software, video games, and other high performance, low latency software are an ideal targets for injecting our exploit."

My comments: yes, because exploits being injected into open-source software are famous for not being discovered. Obviously it can happen (look at xz, or the recent Shai-Hulud worm on NPM), and it's entirely possible that it has happened to other places that weren't discovered. But with xz the exploit was caught quickly enough that it didn't reach production, and with Shai-Hulud it was contained within days despite having the potential to spread to every package. I doubt that anyone trying to stick this kind of thing into open-source software would get away with it. Closed-source software, OTOH, would be a far more likely distribution vector. Just persuade some overworked dev that he should use this handy library that tracks high-precision mouse movement in his game, and you've injected your exploit.

[charcircuit]

It's easier to hide this in plain sight instead of being a secret. Take for example table top simulator, it has the ability to show where other people's cursors are so you can follow what other players are doing. If this streamed the mouse location at a high enough frequency, you now have the data needed being sent to everyone else in the same lobby. Synchronizing mouse cursors or player look vectors is a common feature and it may not be obvious that sensitive data is actually being streamed to the person doing the review.

[7e]

Heartbleed was in production for two years. Log4Shell was in the wild for 8. ShellShock for 20. The fact that some exploits are discovered quickly is not in any way a proof that nobody can get away with it. You may argue that these vulnerabilities are unintentional. I would say distinction without difference.

[LorenzoGood]

Yes but this is discussing deliberately injecting malware into an open source project, which differs from exploiting a vulnerability that exists in one.